#!/bin/bash

#Modified by oXis for the Wifi Pineapple (OpenWRT)

# Written by Sitwon and The Doctor.
# Copyright (C) 2013 Project Byzantium
# This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or any later version.

arp () { cat /proc/net/arp; } # arp function

IPTABLES=/usr/sbin/iptables
ARP=arp
IP=172.16.42.1

case "$1" in
    'init')

        # Convert the IP address of the client interface into a netblock.
        CLIENTNET=`echo $IP | sed 's/1$/0\/24/'`

        # Exempt traffic which does not originate from the client network.
        $IPTABLES -t mangle -I PREROUTING -p all ! -s $CLIENTNET -j RETURN

        # Traffic not coming from an accepted user gets marked 99.
        $IPTABLES -t mangle -A fwmark -j MARK --set-mark 99

        # Traffic which has been marked 99 and is headed for 80/TCP or 443/TCP
        # should be redirected to the captive portal web server.
        $IPTABLES -t nat -A prerouting_rule -m mark --mark 99 -p tcp --dport 80 -j DNAT --to-destination $IP:80
        # Need to activate HTTPS on the nginx server of the PineAP, so for now HTTPS traffic is dropped.
        #$IPTABLES -t nat -A prerouting_rule -m mark --mark 99 -p tcp --dport 443 -j DNAT --to-destination $IP:443

        # for use with dns spoff
        $IPTABLES -t filter -A forwarding_rule -p udp --dport 53 -j ACCEPT
        $IPTABLES -t nat -A prerouting_rule -m mark --mark 99 -p udp --dport 53 -j DNAT --to-destination $IP:53

        $IPTABLES -t filter -A input_rule -p tcp --dport 80 -j ACCEPT #Webserver
        #$IPTABLES -t filter -A input_rule -p tcp --dport 443 -j ACCEPT #Webserver
        $IPTABLES -t filter -A input_rule -p tcp --dport 1471 -j ACCEPT #PineAP admin page
        $IPTABLES -t filter -A input_rule -p tcp --dport 22 -j ACCEPT #SSH

        # All other traffic which is marked 99 is just dropped
        $IPTABLES -t filter -A forwarding_rule -m mark --mark 99 -j DROP
        # Even on INPUT rule
        $IPTABLES -t filter -A input_rule -m mark --mark 99 -j DROP

        exit 0
        ;;
    'add')
        # $2: IP address of client.
        CLIENT=$2

        # Isolate the MAC address of the client in question.
        CLIENTMAC=`$ARP -n | grep ':' | grep $CLIENT | awk '{print $4}'`

        # Add the MAC address of the client to the whitelist, so it'll be able
        # to access the mesh even if its IP address changes.
        $IPTABLES -t mangle -I fwmark -m mac --mac-source $CLIENTMAC -j RETURN
        $IPTABLES -A INPUT -m mac --mac-source 74:da:38:5a:03:66 -p udp --dport 53 -j ACCEPT

        exit 0
        ;;
    'remove')
        # $2: IP address of client.
        CLIENT=$2

        # Isolate the MAC address of the client in question.
        CLIENTMAC=`$ARP -n | grep ':' | grep $CLIENT | awk '{print $4}'`

        # Delete the MAC address of the client from the whitelist.
        $IPTABLES -t mangle -D fwmark -m mac --mac-source $CLIENTMAC -j RETURN

        exit 0
        ;;
    'purge')
        CLIENTNET=`echo $IP | sed 's/1$/0\/24/'`
        # Purge the user defined chains
        $IPTABLES -t mangle -F fwmark
        $IPTABLES -t nat -F prerouting_rule
        $IPTABLES -t filter -F input_rule
        $IPTABLES -t filter -F forwarding_rule
        $IPTABLES -t mangle -D PREROUTING -p all ! -s $CLIENTNET -j RETURN

        $IPTABLES -t nat -D prerouting_rule -m mark --mark 99 -p udp --dport 53 -j DNAT --to-destination $IP:53

        exit 0
        ;;
    'list')
        # Display the currently running IP tables ruleset.
        $IPTABLES --list -t nat -n
        $IPTABLES --list -t mangle -n
        $IPTABLES --list -t filter -n

        exit 0
        ;;
    *)
        echo "USAGE: $0 {initialize|add <IP>|remove <IP>|purge|list}"
        exit 0
    esac